CISSP Domain 5: Zero Hour Exam Cram Series

Identity & Access Management | Final 48-Hour Decision System

Most candidates don't fail Domain 5 because of concepts.

They fail because they focus on authentication methods instead of identity lifecycle and control intent. Domain 5 is not about MFA, SSO, or protocols alone. It’s about who should have access, why, and under what conditions.

The Identity Control Bias™

If identity is not controlled, access control is meaningless. If identity is weak:

  • Strong authentication won’t prevent misuse
  • Authorization becomes inconsistent
  • Access reviews become reactive
    ✓ CISSP rewards identity governance over mechanisms

The CISSP Decision Stack™

  1. Human Safety
  2. Legal / Compliance
  3. Identity Governance & Accountability
  4. Risk Optimization
  5. Technical Mechanisms
    ✓ If identity ownership is unclear, eliminate authentication-level answers

The Elimination Engine™

Eliminate This First

  • If identity ownership is unclear → ✗ Eliminate MFA / SSO answers → ✓ Establish identity governance (owner, lifecycle)
  • If excessive access exists → ✗ Eliminate authentication upgrades → ✓ Apply least privilege / role-based access
  • If access is outdated → ✗ Eliminate monitoring → ✓ Perform access review / recertification
  • If user lifecycle is unmanaged → ✗ Eliminate technical controls → ✓ Implement provisioning / deprovisioning
  • If privilege misuse occurs → ✗ Eliminate user restrictions → ✓ Apply separation of duties / privileged access control
  • If multiple systems require access → ✗ Eliminate manual login → ✓ Use federated identity / SSO

Core Concepts

Identity Lifecycle

  • Provisioning
  • Management
  • Review
  • Deprovisioning
    ✓ Lifecycle control prevents access sprawl

Authentication vs Authorization

  • Authentication = who you are
  • Authorization = what you can do
    ✓ Do not confuse identity proof with permission

Access Control Models

  • RBAC → role-based
  • ABAC → attribute-based
  • DAC / MAC → discretionary / mandatory
    ✓ Choose based on control requirement

Authentication Factors

  • Something you know
  • Something you have
  • Something you are
    ✓ MFA strengthens identity, not authorization

Federated Identity & SSO

  • Centralized identity across systems
    ✓ Reduces credential sprawl

Privileged Access Management

  • Elevated control for sensitive actions
    ✓ High-risk identities need stricter control

Kill-Zone Confusions

Authentication vs Authorization

  • Authentication proves identity
  • Authorization grants access
    ✓ Mixing these leads to wrong answers

Identity vs Account

  • Identity = person/entity
  • Account = system representation
    ✓ One identity can have multiple accounts

MFA vs Least Privilege

  • MFA strengthens login
  • Least privilege limits access
    ✓ One does not replace the other

RBAC vs ABAC

  • RBAC = roles
  • ABAC = attributes/context
    ✓ Use ABAC for dynamic environments

Exam Psychology Layer

Rule 1: Identity First

✓ If identity is unclear, fix governance

Rule 2: Lifecycle Matters

✓ Provision, review, deprovision

Rule 3: Least Privilege Wins

✓ Reduce access before adding controls

Rule 4: Purpose Over Mechanism

✓ Choose based on need, not technology

Rule 5: Accountability Drives Security

✓ Ownership defines control

Scenario Drill

Scenario 1

User retains access after role change

✓ Best Answer: Access review / recertification

Scenario 2

Multiple accounts with inconsistent permissions

✓ Best Answer: Centralized identity / IAM governance

Scenario 3

Unauthorized access despite strong authentication

✓ Best Answer: Fix authorization (least privilege)

Scenario 4

User onboarding delayed and inconsistent

✓ Best Answer: Automate provisioning lifecycle

Scenario 5

Privileged user misuses access

✓ Best Answer: Apply PAM + separation of duties

Scenario 6

Users manage multiple credentials across systems

✓ Best Answer: Implement SSO / federation

Scenario 7

Access granted beyond job requirement

✓ Best Answer: Apply least privilege / RBAC

Scenario 8

Dynamic access required based on context

✓ Best Answer: Use ABAC

Scenario 9

Terminated employee still has access

✓ Best Answer: Immediate deprovisioning

Scenario 10

Authentication strengthened but breaches continue

✓ Best Answer: Fix identity governance and authorization

60-Second War Recall

✓ Identity before authentication
✓ Authentication ≠ Authorization
✓ Lifecycle control is critical
✓ Least privilege reduces risk
✓ RBAC vs ABAC decision
✓ MFA strengthens login only
✓ Federation reduces sprawl
✓ PAM for high-risk access
✓ Ownership drives accountability

Final Insight

Domain 5 is not about authentication.

It is about controlling identity, managing access lifecycle, and enforcing accountability.

If your answer:

  • fixes identity governance
  • reduces unnecessary access
  • aligns permissions with roles

✓ You are aligned with CISSP thinking

Closing Line

Eliminate fast. Think Identity Architect. Control identity—govern access.
